
<html>
<!--  -->
<!-- #BeginTemplate "/Templates/TAO_Security.dwt" -->
<head>
<!-- #BeginEditable "doctitle" -->
<title>TAO -- Using SSLIOP</title>
<!-- #EndEditable -->
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script language="JavaScript">
<!--
function MM_preloadImages() { //v3.0
  var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
    var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
    if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
}

function MM_findObj(n, d) { //v3.0
  var p,i,x;  if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) {
    d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}
  if(!(x=d[n])&&d.all) x=d.all[n]; for (i=0;!x&&i<d.forms.length;i++) x=d.forms[i][n];
  for(i=0;!x&&d.layers&&i<d.layers.length;i++) x=MM_findObj(n,d.layers[i].document); return x;
}

function MM_nbGroup(event, grpName) { //v3.0
  var i,img,nbArr,args=MM_nbGroup.arguments;
  if (event == "init" && args.length > 2) {
    if ((img = MM_findObj(args[2])) != null && !img.MM_init) {
      img.MM_init = true; img.MM_up = args[3]; img.MM_dn = img.src;
      if ((nbArr = document[grpName]) == null) nbArr = document[grpName] = new Array();
      nbArr[nbArr.length] = img;
      for (i=4; i < args.length-1; i+=2) if ((img = MM_findObj(args[i])) != null) {
        if (!img.MM_up) img.MM_up = img.src;
        img.src = img.MM_dn = args[i+1];
        nbArr[nbArr.length] = img;
    } }
  } else if (event == "over") {
    document.MM_nbOver = nbArr = new Array();
    for (i=1; i < args.length-1; i+=3) if ((img = MM_findObj(args[i])) != null) {
      if (!img.MM_up) img.MM_up = img.src;
      img.src = (img.MM_dn && args[i+2]) ? args[i+2] : args[i+1];
      nbArr[nbArr.length] = img;
    }
  } else if (event == "out" ) {
    for (i=0; i < document.MM_nbOver.length; i++) {
      img = document.MM_nbOver[i]; img.src = (img.MM_dn) ? img.MM_dn : img.MM_up; }
  } else if (event == "down") {
    if ((nbArr = document[grpName]) != null)
      for (i=0; i < nbArr.length; i++) { img=nbArr[i]; img.src = img.MM_up; img.MM_dn = 0; }
    document[grpName] = nbArr = new Array();
    for (i=2; i < args.length-1; i+=2) if ((img = MM_findObj(args[i])) != null) {
      if (!img.MM_up) img.MM_up = img.src;
      img.src = img.MM_dn = args[i+1];
      nbArr[nbArr.length] = img;
  } }
}
//-->
</script>
</head>
<body bgcolor="#FFFFFF" onLoad="MM_preloadImages('fireworks/nav_bar_r02_c2_f3.gif','fireworks/nav_bar_r02_c2_f2.gif','fireworks/nav_bar_r04_c2_f3.gif','fireworks/nav_bar_r04_c2_f2.gif','fireworks/nav_bar_r04_c2_f4.gif','fireworks/nav_bar_r06_c2_f3.gif','fireworks/nav_bar_r06_c2_f2.gif','fireworks/nav_bar_r06_c2_f4.gif','fireworks/nav_bar_r08_c2_f3.gif','fireworks/nav_bar_r08_c2_f2.gif','fireworks/nav_bar_r08_c2_f4.gif','fireworks/nav_bar_r10_c2_f3.gif','fireworks/nav_bar_r10_c2_f2.gif','fireworks/nav_bar_r10_c2_f4.gif','fireworks/nav_bar_r12_c2_f3.gif','fireworks/nav_bar_r12_c2_f2.gif','fireworks/nav_bar_r12_c2_f4.gif','fireworks/nav_bar_r02_c2_f4.gif')">
<div id="Layer2" style="position:absolute; left:89px; top:32px; width:792px; height:125px; z-index:2">
  <h1 align="center"><img src="images/CORBA_Security.jpg" width="500" height="131" align="middle"></h1>
</div>
<div id="Layer3" style="position:absolute; left:257px; top:199px; width:625px; height:1px; z-index:3"><!-- #BeginEditable "Body" -->
  <h2>Using SSLIOP</h2>
  <hr>
  <ul>
    <li><a href="#loading">Loading and Configuring the SSLIOP Pluggable Protocol</a></li>
    <li><a href="#ssliop_current">Using the <code>SSLIOP::Current</code> Object</a></li>
  </ul>
  <hr>
  <h3><a name="loading"></a>Loading and Configuring the SSLIOP Pluggable Protocol</h3>
  <p>TAO implements SSL as a pluggable protocol. As such, it must be dynamically
    loaded into the ORB. You must use a service configurator file to do this.
    The service configurator options for the ORB are described in detail in <a href="../docs/components.html?rev=HEAD&content-type=text/html">
    Options for TAO Components</a>. In this case you have to create a <code>svc.conf</code>
    file that includes: </p>
  <pre>
     dynamic SSLIOP_Factory Service_Object *
    &nbsp;&nbsp; TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory() ""
     static Resource_Factory "<font color="#009900">-ORBProtocolFactory SSLIOP_Factory</font>"</pre>
  <p>Note that &quot;<code>TAO_SSLIOP:_make...</code>&quot; is part of the first
    line. This will load the SSLIOP protocol from the library called <code>TAO_SSL</code>
    and then use that protocol in the ORB. The SSLIOP protocol has a number of
    configuration options that we describe below. </p>
  <h4>SSLIOP Options</h4>
  <p>Once the SSLIOP protocol is loaded you may want to setup the private key
    and certificate files, the authentication level and similar features. This
    is done by setting more options in the service configurator file, for example:
  </p>
  <pre>dynamic SSLIOP_Factory Service_Object *
 &nbsp;TAO_SSLIOP:_make_TAO_SSLIOP_Protocol_Factory()"<font color="#009900">-SSLAuthenticate SERVER</font>"</pre>
  <p>will enforce validation of the server certificate on each SSL connection.
    Note that &quot;<code>TAO_SSLIOP:_make...</code>&quot; is part of the first
    line. The complete list of options is: </p>
  <p>
  <table border="2" cellspacing="2" cellpadding="0" align="center" width="100%" >
    <tr>
      <th>Option</th>
      <th>Description</th>
    </tr>
    <tr>
      <td><code>-SSLNoProtection</code></td>
      <td>
        <p>On the client side, this option forces request invocations to use the
          standard insecure IIOP protocol.</p>
        <p>On the server side, use of this option allows invocations on the server
          to be made through the standard insecure IIOP protocol. Request invocations
          through SSL may still be made.</p>
        <p>This option will be deprecated once the <code>SecurityLevel2::SecurityManager</code>
          interface as defined in the CORBA Security Service is implemented.</p>
      </td>
    </tr>
    <tr>
      <td><code>-SSLCertificate</code> <em>FORMAT:filename</em></td>
      <td> Set the name of the file that contains the certificate for this process.
        The file can be in Privacy Enhanced Mail (<code>PEM</code>) format or
        ASN.1 (<code>ASN1</code>). Remember that the certificate must be signed
        by a Certificate Authority recognized by the client. </td>
    </tr>
    <tr>
      <td><code>-SSLPrivateKey</code> <em>FORMAT:filename</em></td>
      <td> Set the name of the file that contains the private key for this process.
        The private key and certificate files must match. It is extremely important
        that you secure your private key! By default the <code>OpenSSL</code>
        utilities will generate pass phrase protected private key files. The password
        is prompted when you run the CORBA application. </td>
    </tr>
    <tr>
      <td><code>-SSLAuthenticate</code> <em>which</em></td>
      <td> Control the level of authentication. The argument can be <code>NONE</code>,
        <code>SERVER</code>, <code>CLIENT</code> or <code>SERVER_AND_CLIENT</code>.
        Due to limitations in the SSL protocol <code>CLIENT</code> implies that
        the server is authenticated too. </td>
    </tr>
    <tr>
      <td><code>-SSLAcceptTimeout</code> <em>which</em></td>
      <td>Set the maximum amount of time to allow for establishing a
      SSL/TLS passive connection, <em>i.e.</em> for accepting a
      SSL/TLS connection.  The default value is <code>10</code>
      seconds.
      <p>See the discussion in <a
        href="http://bugzilla.dre.vanderbilt.edu/show_bug.cgi?id=1348">Bug 1348</a> in our <a href="http://bugzilla.dre.vanderbilt.edu/index.cgi">bug
      tracking system</a> for the rationale behind this option.</td>
    </tr>
    <tr>
      <td><code>-SSLDHParams</code> <em>filename</em></td>
      <td>Set the filename containing the Diffie-Hellman parameters to
    be used when using DSS-based certificates.  The specified
      file may be a file containing only Diffie-Hellman
      parameters created by "<code>openssl dhparam</code>", or
      it can be a certificate containing a PEM encoded set of
      Diffie-Hellman parameters.</td>
    </tr>
    <tr>
      <td><code>-SSLCipherList</code> <em>cipher-spec</em></td>
      <td>Sets the list of available ciphers.  The cipher specification string
          should be formatted per the openssl ciphers(1) man page.</td>
    </tr>
    <tr>
      <td><code>-SSLServerCipherOrder</code></td>
      <td>When choosing a cipher, use the server's preferences instead of
           the client preferences. When not set, the SSL server will always
           follow the clients preferences.</td>
    </tr>
    <tr>
      <td><code>-SSLCAfile</code> <em>filename</em></td>
      <td>Provide a file containing a trusted certificate, overriding the file named by SSL_CERT_FILE environment variable.</td>
    </tr>
    <tr>
      <td><code>-SSLCApath</code> <em>directory</em></td>
      <td>Provide a directory from which all files are read for trusted certificates overriding the directory named by SSL_CERT_DIR environment variable.<</td>
    </tr>
    <tr>
      <td><code>-SSLrand</code> <em>filelist</em></td>
      <td>Provide additional entropy from the named sources. Works in conjuction with any value supplied via SSL_RAND_FILE environment variable.</td>
    </tr>
    <tr>
      <td><code>-SSLVersionList</code> <em>versions</em></td>
      <td>Unlike the cipher list option, this takes a list of SSL versions to support. List is a comma separated string containing SSLv23. If <code>-SSLVersionList</code> is not supplied, SSL will support all of these versions. </td>
    </tr>
    <tr>
      <td><code>-SSLPassword</code> <em>specifier</em></td>
      <td>if the supplied <code>-SSLPrivateKey</code> is password protected, this option enables overriding the default password entry. The supplied specifier can be <code>prompt:</code><em>message</em> to prompt a user for entry, <code>file:</code><em>filename</em> reads a plain text file, <code>env:</code><em>envvarname</em>, or simply <em>thepassword</em>. Clearly using any option apart from prompt: weakens the protection. </td>
    </tr>
    <tr>
      <td><code>-SSLCheckHost</code></td>
      <td>Adds a verification of the peer address to the connection completion process. This feature requires OpenSSL 1.0.2 or newer and performs a reverse DNS lookup to find the originating hostname. If the version of ssl used does not support <code>X509_check_host()</code>, the peer address does not map to a cannonical host name, or the peer did not provide an X.509 certificate, the connection will fail. </td>
    </tr>
    <tr>
      <td><code>-SSLEcName</code> <em>curve_name</em></td>
      <td>Provide the name of the Elliptic Curve to use for ECDH cipher.  To see a list of the available curve names use the command <em>openssl ecparam -list_curves</em> </td>
    </tr>

  </table>
  <h4>Environment variables</h4>
  <p>The SSLIOP protocol uses the following environment variables to control its
    behavior. </p>
  <p>
  <table border="2" cellspacing="2" cellpadding="0" width="100%" >
    <tr>
      <th>Environment Variable</th>
      <th>Description</th>
    </tr>
    <tr>
      <td><code>SSL_CERT_FILE</code> <em>filename</em></td>
      <td> The name of the file that contains all the trusted certificate authority
        self-signed certificates. By default it is set to the value of the <code>ACE_DEFAULT_SSL_CERT_FILE</code>
        macro. </td>
    </tr>
    <tr>
      <td><code>SSL_CERT_DIR</code> <em>directory</em></td>
      <td> The name of the directory that contains all the trusted certificate
        authority self-signed certificates. By default it is set to the value
        of the <code>ACE_DEFAULT_SSL_CERT_DIR</code> macro. This directory must
        be indexed using the OpenSSL format, i.e. each certificate is aliased
        with the following link:
        <pre>
$ ln -s cacert.pem `openssl x509 -noout -hash < cacert.pem`.0
</pre>
        Consult the documentation of your SSL implementation for more details.
      </td>
    <tr>
      <td><code>SSL_EGD_FILE </code><em>filename</em></td>
      <td>The name of the UNIX domain socket that the <a href="http://www.lothar.com/tech/crypto/">Entropy
        Gathering Daemon (EGD)</a> is listening on.</td>
    <tr>
      <td><code>SSL_RAND_FILE </code><em>filename</em></td>
      <td>The file that contains previously saved state from OpenSSL's pseudo-random
        number generator.</td>
  </table>
  <hr>
  <h3><a name="ssliop_current"></a>Using the <code>SSLIOP::Current</code> Object</h3>
  <p></p>
  <p>TAO's SSLIOP pluggable protocol allows an application to gain access to the
    SSL session state for the current request. For example, it allows an application
    to obtain the SSL peer certificate chain associated with the current request
    so that the application can decide whether or not to reject the request. This
    is achieved by invoking certain operations on the <code>SSLIOP::Current</code>
    object. The interface for <code>SSLIOP::Current</code> object is:</p>
  <p><code>module <b>SSLIOP</b> {</code></p>
  <p><code><font color="#0000FF"># pragma prefix</font> &quot;<font color="#009900">omg.org</font>&quot;</code></p>
  <blockquote>
    <p><code> <font color="#FF0000">/// A <b>DER</b> encoded X.509 certificate.</font><br>
      typedef sequence&lt;octet&gt; ASN_1_Cert;</code></p>
    <p><code> <font color="#FF0000">/// A chain of <b>DER</b> encoded X.509 certificates.
      The chain<br>
      /// is actually a sequence. The sender's certificate is<br>
      /// first, followed by any Certificate Authority<br>
      /// certificates proceeding sequentially upward.</font><br>
      typedef sequence&lt;ASN_1_Cert&gt; SSL_Cert;</code></p>
  </blockquote>
  <p><code> &nbsp;&nbsp;&nbsp;<font color="#FF0000">/// The following are TAO
    extensions.</font><br>
    <font color="#0000FF"># pragma prefix</font> &quot;<font color="#009900">ssliop.tao</font>&quot;</code></p>
  <blockquote>
    <p><code> <font color="#FF0000">/// The SSLIOP::Current interface provides
      methods to<br>
      /// gain access to the SSL session state for the current<br>
      /// execution context.</font><br>
      local interface <b>Current</b> : CORBA::Current {</code> </p>
    <blockquote>
      <p><code> <font color="#FF0000">/// Exception that indicates a SSLIOP::Current<br>
        /// operation was invoked outside of an SSL<br>
        /// session.</font><br>
        exception NoContext {};</code></p>
      <p><code> <font color="#FF0000">/// Return the certificate chain associated
        with<br>
        /// the current execution context. If no SSL<br>
        /// session is being used for the request or<br>
        /// upcall, then the NoContext exception is<br>
        /// raised.</font><br>
        SSL_Cert get_peer_certificate_chain ()<br>
        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;raises
        (N</code><code>oContext);</code></p>
    </blockquote>
    <p><code>};</code></p>
  </blockquote>
  <p><code> <font color="#0000FF"># pragma prefix</font> &quot;<font color="#009900">omg.org</font>&quot;</code></p>
  <p><code>};</code></p>
  <h4>Obtaining a Reference to the <code>SSLIOP::Current</code> Object</h4>
  <p>A reference to the <code>SSLIOP::Current</code> object may be obtained using
    the standard <code>CORBA::ORB::resolve_initial_references()</code> mechanism
    with the argument <code>&quot;<font color="#009900">SSLIOPCurrent</font>&quot;</code>.
    Here is an example:</p>
  <blockquote>
    <p><code>int argc = 0;</code></p>
    <p><code>CORBA::ORB_var orb =<br>
      &nbsp;&nbsp; CORBA::ORB_init (argc, &quot;&quot;, &quot;<font color="#009900">my_orb</font>&quot;);</code></p>
    <p><code>CORBA::Object_var obj =<br>
      &nbsp;&nbsp; orb-&gt;resolve_initial_references (&quot;<font color="#009900">SSLIOPCurrent</font>&quot;);</code></p>
    <p><code><b>SSLIOP</b>::<b>Current_var</b> ssliop =<br>
      &nbsp;&nbsp;<b>SSLIOP</b>::<b>Current</b>::_narrow (obj.in ());</code></p>
  </blockquote>
  <h4>Examining the Peer Certificate for the Current Request Using <a href="http://www.openssl.org/">OpenSSL</a></h4>
  <p>Once a reference to the <code>SSLIOP::Current</code> object has been retrieved,
    the peer certificate for the current request may be obtained by invoking the
    <code>SSLIOP::get_peer_certificate</code> method, as follows:</p>
  <blockquote>
    <p><code><font color="#FF0000">// This method can throw a <b>SSLIOP::Current::NoContext</b><br>
      // exception if it is not invoked during a request being<br>
      // performed over SSL.</font><br>
      <b>SSLIOP::ASN_1_Cert_var</b> cert =<br>
      &nbsp;&nbsp; ssliop-&gt;get_peer_certificate ();</code></p>
  </blockquote>
  <p>The retrieved X.509 peer certificate is in DER (a variant of ASN.1) format.
    DER is the on-the-wire format used to transmit certificates between peers.
  </p>
  <p> OpenSSL can be used to examine the certificate. For example, to extract
    and display the certificate issuer from the DER encoded X.509 certificate,
    the following can be done:</p>
  <blockquote>
    <p><code><font color="#0000FF">#include</font> &lt;<font color="#009900">openssl/x509.h</font>&gt;<br>
      <font color="#0000FF">#include</font> &lt;<font color="#009900">iostream</font>&gt;</code><code><br>
      <font color="#FF0000">.<br>
      .<br>
      .</font> <br>
      <font color="#FF0000">// Obtain the underlying buffer from the<br>
      // SSLIOP::ASN_1_Cert.</font><br>
      CORBA::Octet *der_cert = cert->get_buffer ();<br>
      <br>
      char buf[BUFSIZ];<br>
      <br>
      <font color="#FF0000">// Convert the DER encoded X.509 certificate into<br>
      // OpenSSL's internal format.</font><br>
      <b>X509</b> *peer = ::<b>d2i_X509</b> (0, &der_cert, cert->length ());<br>
      <br>
      ::<b>X509_NAME_oneline</b> (<br>
      &nbsp;&nbsp;&nbsp;::<b>X509_get_issuer_name</b> (peer),<br>
      &nbsp;&nbsp;&nbsp;buf,<br>
      &nbsp;&nbsp; BUFSIZ);<br>
      <br>
      std::cout &lt;&lt; &quot;<font color="#009900">Certificate issuer: </font>&quot;
      &lt;&lt; buf &lt;&lt; std::endl;<br>
      <br>
      ::<b>X509_free</b> (peer);</code></p>
  </blockquote>
  <p>&nbsp;</p>
  <address></address>
  <table width="100%" border="0">
    <tr>
      <td>
        <p><font face="Georgia, Times New Roman, Times, serif"><font face="Arial, Helvetica, sans-serif"><a href="mailto:ossama@dre.vanderbilt.edu">Ossama
          Othman<br>
          </a></font></font><font face="Georgia, Times New Roman, Times, serif"><a href="mailto:coryan@uci.edu"><font face="Arial, Helvetica, sans-serif">Carlos
          O'Ryan</font></a><font face="Arial, Helvetica, sans-serif"> </font></font></p>
      </td>
      <td><a href="http://www.openssl.org/"><img src="images/openssl_button.gif" width="102" height="47" align="right" border="0"></a></td>
    </tr>
  </table>
  <h2>&nbsp;</h2>
  <!-- #EndEditable --></div>
<div id="Layer1" style="position:absolute; left:87px; top:162px; width:153px; height:373px; z-index:4"><!-- Image with table -->
  <table border="0" cellpadding="0" cellspacing="0" width="158">
    <!-- fwtable fwsrc="Untitled" fwbase="nav_bar.gif" -->
    <tr> <!-- Shim row, height 1. -->
      <td><img src="/fireworks/shim.gif" width="9" height="1" border="0" name="undefined_2"></td>
      <td><img src="/fireworks/shim.gif" width="141" height="1" border="0" name="undefined_2"></td>
      <td><img src="/fireworks/shim.gif" width="8" height="1" border="0" name="undefined_2"></td>
      <td><img src="/fireworks/shim.gif" width="1" height="1" border="0" name="undefined_2"></td>
    </tr>
    <tr valign="top"><!-- row 1 -->
      <td colspan="3"><img name="nav_bar_r01_c1" src="fireworks/nav_bar_r01_c1.gif" width="158" height="35" border="0"></td>
      <td><img src="/fireworks/shim.gif" width="1" height="35" border="0" name="undefined_2"></td>
    </tr>
    <tr valign="top"><!-- row 2 -->
      <td rowspan="12"><img name="nav_bar_r02_c1" src="fireworks/nav_bar_r02_c1.gif" width="9" height="342" border="0"></td>
      <td><a href="index.html" onMouseOut="MM_nbGroup('out');"  onMouseOver="MM_nbGroup('over','Home','fireworks/nav_bar_r02_c2_f2.gif','fireworks/nav_bar_r02_c2_f4.gif',1)"  onClick="MM_nbGroup('down','navbar1','Home','fireworks/nav_bar_r02_c2_f3.gif',1)" ><img name="Home" src="fireworks/nav_bar_r02_c2.gif" border="0" onLoad=""></a></td>
      <td rowspan="12"><img name="nav_bar_r02_c3" src="fireworks/nav_bar_r02_c3.gif" width="8" height="342" border="0"></td>
      <td><img src="/fireworks/shim.gif" width="1" height="36" border="0" name="undefined_2"></td>
    </tr>
    <tr valign="top"><!-- row 3 -->
      <td><img name="nav_bar_r03_c2" src="fireworks/nav_bar_r03_c2.gif" width="141" height="5" border="0"></td>
      <td><img src="/fireworks/shim.gif" width="1" height="5" border="0" name="undefined_2"></td>
    </tr>
    <tr valign="top"><!-- row 4 -->
      <td><a href="Download.html" onMouseOut="MM_nbGroup('out');"  onMouseOver="MM_nbGroup('over','Download','fireworks/nav_bar_r04_c2_f2.gif','fireworks/nav_bar_r04_c2_f4.gif',1)"  onClick="MM_nbGroup('down','navbar1','Download','fireworks/nav_bar_r04_c2_f3.gif',1)" ><img name="Download" src="fireworks/nav_bar_r04_c2.gif" width="141" height="36" border="0" onLoad=""></a></td>
      <td><img src="/fireworks/shim.gif" width="1" height="36" border="0" name="undefined_2"></td>
    </tr>
    <tr valign="top"><!-- row 5 -->
      <td><img name="nav_bar_r05_c2" src="fireworks/nav_bar_r05_c2.gif" width="141" height="5" border="0"></td>
      <td><img src="/fireworks/shim.gif" width="1" height="5" border="0" name="undefined_2"></td>
    </tr>
    <tr valign="top"><!-- row 6 -->
      <td><a href="http://www.dre.vanderbilt.edu/~schmidt/TAO.html" onMouseOut="MM_nbGroup('out');"  onMouseOver="MM_nbGroup('over','TAO','fireworks/nav_bar_r06_c2_f2.gif','fireworks/nav_bar_r06_c2_f4.gif',1)"  onClick="MM_nbGroup('down','navbar1','TAO','fireworks/nav_bar_r06_c2_f3.gif',1)" ><img name="TAO" src="fireworks/nav_bar_r06_c2.gif" width="141" height="36" border="0" onLoad=""></a></td>
      <td><img src="/fireworks/shim.gif" width="1" height="36" border="0" name="undefined_2"></td>
    </tr>
    <tr valign="top"><!-- row 7 -->
      <td><img name="nav_bar_r07_c2" src="fireworks/nav_bar_r07_c2.gif" width="141" height="5" border="0"></td>
      <td><img src="/fireworks/shim.gif" width="1" height="5" border="0" name="undefined_2"></td>
    </tr>
    <tr valign="top"><!-- row 8 -->
      <td><a href="SSLIOP.html" onMouseOut="MM_nbGroup('out');"  onMouseOver="MM_nbGroup('over','SSLIOP','fireworks/nav_bar_r08_c2_f2.gif','fireworks/nav_bar_r08_c2_f4.gif',1)"  onClick="MM_nbGroup('down','navbar1','SSLIOP','fireworks/nav_bar_r08_c2_f3.gif',1)" ><img name="SSLIOP" src="fireworks/nav_bar_r08_c2.gif" width="141" height="36" border="0" onLoad=""></a></td>
      <td><img src="/fireworks/shim.gif" width="1" height="36" border="0" name="undefined_2"></td>
    </tr>
    <tr valign="top"><!-- row 9 -->
      <td><img name="nav_bar_r09_c2" src="fireworks/nav_bar_r09_c2.gif" width="141" height="5" border="0"></td>
      <td><img src="/fireworks/shim.gif" width="1" height="5" border="0" name="undefined_2"></td>
    </tr>
    <tr valign="top"><!-- row 10 -->
      <td><a href="Security_Service.html" onMouseOut="MM_nbGroup('out');"  onMouseOver="MM_nbGroup('over','Security_Service','fireworks/nav_bar_r10_c2_f2.gif','fireworks/nav_bar_r10_c2_f4.gif',1)"  onClick="MM_nbGroup('down','navbar1','Security_Service','fireworks/nav_bar_r10_c2_f3.gif',1)" ><img name="Security_Service" src="fireworks/nav_bar_r10_c2.gif" width="141" height="36" border="0" onLoad=""></a></td>
      <td><img src="/fireworks/shim.gif" width="1" height="36" border="0" name="undefined_2"></td>
    </tr>
    <tr valign="top"><!-- row 11 -->
      <td><img name="nav_bar_r11_c2" src="fireworks/nav_bar_r11_c2.gif" width="141" height="5" border="0"></td>
      <td><img src="/fireworks/shim.gif" width="1" height="5" border="0" name="undefined_2"></td>
    </tr>
    <tr valign="top"><!-- row 12 -->
      <td><a href="FAQ.html" onMouseOut="MM_nbGroup('out');"  onMouseOver="MM_nbGroup('over','FAQ','fireworks/nav_bar_r12_c2_f2.gif','fireworks/nav_bar_r12_c2_f4.gif',1)"  onClick="MM_nbGroup('down','navbar1','FAQ','fireworks/nav_bar_r12_c2_f3.gif',1)" ><img name="FAQ" src="fireworks/nav_bar_r12_c2.gif" width="141" height="36" border="0" onLoad=""></a></td>
      <td><img src="/fireworks/shim.gif" width="1" height="36" border="0" name="undefined_2"></td>
    </tr>
    <tr valign="top"><!-- row 13 -->
      <td><img name="nav_bar_r13_c2" src="fireworks/nav_bar_r13_c2.gif" width="141" height="101" border="0"></td>
      <td><img src="/fireworks/shim.gif" width="1" height="101" border="0" name="undefined_2"></td>
    </tr>
    <!--   This table was automatically created with Macromedia Fireworks 3.0   -->
    <!--   http://www.macromedia.com   -->
  </table>
</div>
<table border="0" cellpadding="0" cellspacing="0">
  <tr>
    <td>&nbsp;</td>
  </tr>
</table>
</body>
<!-- #EndTemplate -->
</html>
